ISO27001 requirements 15.2.2: Technical compliance checking Control states - "Information systems shall be regularly checked for compliance with security implementation standards"
Code of practice ISO27002 states "Technical compliance checking should be performed either manually (supported by appropriate software tools, if necessary) by an experienced system engineer, and/or with the assistance of automated tools, which generate a technical report for subsequent interpretation by a technical specialist"
ISO27k certified companies need to conduct periodic vulnerability assessment and hence employ consultants for this. Mostly the scope is to run a series of predominantly automated tests using vulnerability scanners and provide a report & recommendations.
This makes them comply but Is this enough? NO
This post was triggered by thoughts after
> Reading Information Escapology, part five – Careful with That Proxy, Eugene... Will a standard vulnerability assessment address this? i guess no. It depends on who is doing? depth? methodology? etc.
> After hearing this from a consultant (someone i trust). It seems after a capability presentation session to a large company, the company's CISO asked him if they were the Authorized Scanning Vendor for the scanning tools & was the consulting company PCI DSS compliant... these were the only questions he had on the vulnerability assessment service process; nothing on things like what is the typical approach, methodology, depth, etc. Is it enough if your consultant is an ASV for a tool? Do you need to be PCI DSS compliant to do a vulnerability scan?
Conclusion: For most of them it looks like only compliance matters (or) they want a testing service that is so cookie cutter that the scope will be automatically limited to the basic scan-and-patch kind of findings
No comments:
Post a Comment